{"id":115,"date":"2008-09-25T10:46:59","date_gmt":"2008-09-25T15:46:59","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=115"},"modified":"2008-09-25T10:46:59","modified_gmt":"2008-09-25T15:46:59","slug":"security-in-agile-development-owasp-appsec-nyc-2008","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2008\/09\/25\/security-in-agile-development-owasp-appsec-nyc-2008\/","title":{"rendered":"Security in Agile Development &#8211; OWASP AppSec NYC 2008"},"content":{"rendered":"<p>This presentation, entitled &#8220;Security in Agile Development: Breaking the Waterfall Mindset of the Security Industry&#8221; was by Dave Wichers, member of the OWASP board and cofounder and COO of Aspect Security.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Manifesto for Agile Software Development<\/strong><\/span><\/p>\n<p>Individuals and interactions over processes and tools.\u00a0 Working software over comprehensive documentation.\u00a0 Customer collaboration over contract negotiation.\u00a0 Responding to change over following a plan.<\/p>\n<p><span style=\"text-decoration: underline;\"><strong>Agile Traits<\/strong><\/span><\/p>\n<ul>\n<li>Agile practices: test-driven development, pair programming, and doing the simplest thing.<\/li>\n<li>Planning Sprint (Sprint 0) &#8211; define user stories<\/li>\n<li>Develop in sprints and focus on what the customer wants first in short iterative development cycles<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Assurance is the Goal<\/strong><\/span><\/p>\n<ul>\n<li>&#8220;Assurance is the level of confidence that software functions as intended and is free of vulnerabilities, either intentionally or unintentionally designed or inserted as part of the software&#8221; &#8211; DOD<\/li>\n<li>Can agile software development methods generate assurance?<\/li>\n<li>&#8220;test-driven development places (functional) assurance squarely at the heart of development&#8221; &#8211; 
Johan Peters<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Waterfall Security is &#8220;Breadth First&#8221;<\/strong><\/span><\/p>\n<ul>\n<li>Build assurance layer-by-layer<\/li>\n<li>Challenges: the problem space is very large, difficult to prioritize, &#8230;<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Agile vs Security<\/strong><\/span><\/p>\n<ul>\n<li>Where to insert security activities?<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Security in Agile (nice chart here)<br \/>\n<\/strong><\/span><\/p>\n<ul>\n<li>Add Threat Modeling and Stakeholder Security Stories at the beginning between the Story Finding\/Initial Estimation<\/li>\n<li>Do periodic security sprints (if needed) between writing the story and scenario and implementing functionality and acceptance tests<\/li>\n<li>Do some independent expert testing and security architecture review support in the quality assurance phase<\/li>\n<li>Add Application Security Assurance Review between system testing and release phases<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Key Agile Security Enablers<\/strong><\/span><\/p>\n<ul>\n<li>Standard Security Controls: See the OWASP Enterprise Security API (ESAPI) Project<\/li>\n<li>Secure Coding Standards: How to properly use your standard security controls.\u00a0 How to avoid common security flaws.\u00a0 Automated code analysis.<\/li>\n<li>Developer Security Training: How to use your standard controls and avoid common flaws<\/li>\n<li>Support from Security Experts: Even with training and standard controls, security is hard.\u00a0 Access to security experts and independent testing\/analysis is key.\u00a0 Ideally, a security expert would be on the team (but usually not possible).<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Planning Sprint (Sprint 0)<\/strong><\/span><\/p>\n<ul>\n<li>Identify Stakeholders: Ask them what their most important security 
concerns are.\u00a0 Work with them on the basic security controls required based on system purpose, environment, existence of such mechanisms, etc.<\/li>\n<li>Confidentiality: Who is allowed to access what data and how?\u00a0 How important is protecting this data?\u00a0 Regulatory requirements?<\/li>\n<li>Integrity: What data must be protected and to what degree?<\/li>\n<li>Availability: How important is system availability?\u00a0 Can we define an SLA?<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Planning Sprint: Capture Risks in Stakeholder Security Stories<\/strong><\/span><\/p>\n<ul>\n<li>As a User&#8230;I want to be the only one who can access my account so that I can keep my information private.<\/li>\n<li>As a User&#8230;I want my personal information encrypted in storage and transit so that it doesn&#8217;t get stolen by attackers.<\/li>\n<li>As a Manager&#8230;I want to be the only one who can edit Employee salaries so that I can prevent fraud.<\/li>\n<li>As a Business Owner&#8230;I want all security critical actions logged, so that attacks can be noticed and diagnosed.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Building Assurance &#8220;Depth First&#8221;<\/strong><\/span><\/p>\n<ul>\n<li>Identify the most important security concerns and their required security mechanisms<\/li>\n<li>Within sprints, or in periodic security sprints, develop test methods for them and their use, configure\/implement\/analyze these security mechanisms, and run the tests<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Implement Stakeholder Security Stories<\/strong><\/span><\/p>\n<ul>\n<li>Security stories are implemented just like other stories.\u00a0 Test-driven development (unit test cases come before the code).\u00a0 Continuous reviews and inspection (pair programming\/constant information reviews)<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Test 
Cases for Security Controls<\/strong><\/span><\/p>\n<ul>\n<li>Security &#8220;requirements&#8221; are defined by developing test cases.\u00a0 Unit tests can test both positive (functional) and negative (not broken) aspects of security mechanisms.\u00a0 Tests are repeatable, providing full regression testing.\u00a0 But not true penetration testing or analysis.<\/li>\n<li>Real experience with test-driven development.\u00a0 The OWASP Enterprise Security API.<\/li>\n<li>Results in a significant increase in assurance<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Test Cases for Security Stories<\/strong><\/span><\/p>\n<ul>\n<li>Functional test cases.\u00a0 Typical unit testing by developers.\u00a0 Verify presence and proper function of security control.\u00a0 May include simple tests with a browser.<\/li>\n<li>Security test cases.\u00a0 Check for best practices.\u00a0 Test for common pitfalls.\u00a0 Hopefully, most come with your standard security controls.<\/li>\n<li>Test cases provide strong assurance evidence<\/li>\n<li>Independent security testing.\u00a0 Verifies that functional and security tests were performed.\u00a0 Provides additional specialized security testing expertise.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Periodic Security Sprints<\/strong><\/span><\/p>\n<ul>\n<li>As necessary, build\/integrate related security controls.\u00a0 Implement highest priority related security controls first.\u00a0 Leveraging your standard security components is key.\u00a0 Building significant new security controls is hard.\u00a0 Security sprints may even be completely avoided if sufficient standard components are available.<\/li>\n<li>Examples: Authentication, sessions, authorization, validation, canonicalization, encoding, error handling, logging, intrusion detection<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Perform Agile Security Reviews<\/strong><\/span><\/p>\n<ul>\n<li>Security reviews: verify 
all are in place and complete.\u00a0 Threat model, security stories, security controls, test cases, test results.\u00a0 Notice:\u00a0 Most are standard agile artifacts, not just add-on security deliverables.<\/li>\n<li>Application code review and penetration testing.\u00a0 Added for critical applications to increase assurance.\u00a0 Manual (tool supported), automated, or both.\u00a0 Within security sprints and\/or predeployment testing.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Example: Agile Access Control<\/strong><\/span><\/p>\n<ul>\n<li>With standard access control components, just make sure &#8220;isAuthorized()&#8221; is called where needed, both in the presentation layer and in business logic.\u00a0 Stay focused on implementing the functionality<\/li>\n<li>Define user stories around who can do what.\u00a0 Configure your policy for what is most important first.\u00a0 Define and restrict what normal users can do.\u00a0 Policy can be both declarative and programmatic.<\/li>\n<li>How do you test proper implementation?\u00a0 Develop policy-specific test cases to make sure policy is enforced properly.<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Security in Agile Summary<\/strong><\/span><\/p>\n<ul>\n<li>Agile can generate assurance well, possibly better<\/li>\n<li>Approach is depth-first, not breadth-first<\/li>\n<li>Getting the right stakeholder security stories is key<\/li>\n<li>In traditional security, assurance comes primarily from expert security reviews at successive stages of development.\u00a0 In agile security, assurance comes from managing the key risks to the security stakeholders.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>This presentation, entitled &#8220;Security in Agile Development: Breaking the Waterfall Mindset of the Security Industry&#8221; was by Dave Wichers, member of the OWASP board and cofounder and COO of Aspect Security. 
Manifesto for Agile Software Development Individuals and interactions over processes and tools.\u00a0 Working software over comprehensive documentation.\u00a0 Customer collaboration over contract negotiation.\u00a0 Responding to [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[127,4],"tags":[172,76,128,173,12,622],"class_list":["post-115","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-nyc-2008","category-web-app-sec","tag-agile","tag-application","tag-appsec","tag-development","tag-owasp","tag-security"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-1R","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=115"}],"version-history":[{"count":1,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-j
son\/wp\/v2\/posts\/115\/revisions"}],"predecessor-version":[{"id":116,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/115\/revisions\/116"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}